Overcloud: The firewall is not being set on the overcloud nodes. The firewall looks wide open:

[heat-admin@ov-mcfvsattoaz-0-y3sfbsfdid7s-controller-xpsc256pbjaf ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.0.2.11           tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0
[heat-admin@ov-mcfvsattoaz-0-y3sfbsfdid7s-controller-xpsc256pbjaf ~]$
For reference, here is the output in OSP 10 (controller node):

[heat-admin@controller-0 ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8042 /* 100 aodh_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13042 /* 100 aodh_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8777 /* 100 ceilometer_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13777 /* 100 ceilometer_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 /* 100 cinder_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13776 /* 100 cinder_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292 /* 100 glance_api_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13292 /* 100 glance_api_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9191 /* 100 glance_registry_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 100 glance_registry_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8041 /* 100 gnocchi_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13041 /* 100 gnocchi_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 /* 100 heat_api_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13004 /* 100 heat_api_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000 /* 100 heat_cfn_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13005 /* 100 heat_cfn_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8003 /* 100 heat_cloudwatch_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13003 /* 100 heat_cloudwatch_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 35357 /* 100 keystone_admin_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13357 /* 100 keystone_admin_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000 /* 100 keystone_public_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13000 /* 100 keystone_public_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696 /* 100 neutron_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13696 /* 100 neutron_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8775 /* 100 nova_metadata_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 100 nova_metadata_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080 /* 100 nova_novncproxy_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13080 /* 100 nova_novncproxy_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8774 /* 100 nova_osapi_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13774 /* 100 nova_osapi_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8386 /* 100 sahara_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13386 /* 100 sahara_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080 /* 100 swift_proxy_server_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13808 /* 100 swift_proxy_server_haproxy_ssl */ state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.110           tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0
QA: verify that there is a default drop-all rule in the INPUT chain. All traffic that does not match an earlier explicit rule should be dropped by the drop-all rule.
puppet-tripleo-7.4.3-0.20171025110206.el7ost.noarch on controller-0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state NEW /* 001 accept all icmp ipv4 */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 002 accept all to lo interface ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 state NEW /* 003 accept ssh ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8042 state NEW /* 100 aodh_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13042 state NEW /* 100 aodh_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 state NEW /* 100 cinder_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13776 state NEW /* 100 cinder_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292 state NEW /* 100 glance_api_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13292 state NEW /* 100 glance_api_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8041 state NEW /* 100 gnocchi_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13041 state NEW /* 100 gnocchi_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 state NEW /* 100 heat_api_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13004 state NEW /* 100 heat_api_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000 state NEW /* 100 heat_cfn_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13005 state NEW /* 100 heat_cfn_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 35357 state NEW /* 100 keystone_admin_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000 state NEW /* 100 keystone_public_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13000 state NEW /* 100 keystone_public_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3306 state NEW /* 100 mysql_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696 state NEW /* 100 neutron_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13696 state NEW /* 100 neutron_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8775 state NEW /* 100 nova_metadata_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080 state NEW /* 100 nova_novncproxy_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13080 state NEW /* 100 nova_novncproxy_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8774 state NEW /* 100 nova_osapi_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13774 state NEW /* 100 nova_osapi_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8778 state NEW /* 100 nova_placement_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13778 state NEW /* 100 nova_placement_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8977 state NEW /* 100 panko_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13977 state NEW /* 100 panko_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6379 state NEW /* 100 redis_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080 state NEW /* 100 swift_proxy_server_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13808 state NEW /* 100 swift_proxy_server_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 873,3123,3306,4444,4567,4568,9200 state NEW /* 104 mysql galera-bundle ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 123 state NEW /* 105 ntp ipv4 */
ACCEPT     112  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 106 neutron_l3 vrrp ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3124,6379,26379 state NEW /* 108 redis-bundle ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3122,4369,5672,25672 state NEW /* 109 rabbitmq-bundle ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,13000,35357,13357 state NEW /* 111 keystone ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292,13292 state NEW /* 112 glance_api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,3773,8774,13774,8775 state NEW /* 113 nova_api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696,13696 state NEW /* 114 neutron api ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 67 state NEW /* 115 neutron dhcp input ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 4789 state NEW /* 118 neutron vxlan networks ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776,13776 state NEW /* 119 cinder ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3260 state NEW /* 120 iscsi initiator ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 11211 state NEW /* 121 memcached ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808 state NEW /* 122 swift proxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 873,6000,6001,6002 state NEW /* 123 swift storage ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004,13004 state NEW /* 125 heat_api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000,13800 state NEW /* 125 heat_cfn ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 127 horizon ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 161 state NEW /* 127 snmp ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8042,13042 state NEW /* 128 aodh-api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8041,13041 state NEW /* 129 gnocchi-api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2224,3121,21064 state NEW /* 130 pacemaker tcp ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5405 state NEW /* 131 pacemaker udp ipv4 */
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0            /* 136 neutron gre networks ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080 state NEW /* 137 nova_vnc_proxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8778,13778 state NEW /* 138 nova_placement ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8125 state NEW /* 140 gnocchi-statsd ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8977,13977 state NEW /* 140 panko-api ipv4 */
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 998 log all ipv4 */ LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 999 drop all ipv4 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 68 state NEW /* 116 neutron dhcp output ipv4 */
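As an added example (not part of this bug report, of puppet-tripleo or of the verification comments above), the following Python script automates the check QA asked for: it parses an `iptables -L -n` filter-table listing, follows jumps into user-defined chains such as nova-api-INPUT, lists the destination ports that are explicitly accepted, and reports whether INPUT ends in a catch-all DROP (or carries a DROP policy). The two embedded listings are constructed, trimmed excerpts of the wide-open controller from the initial report and of the fixed controller-0 above; the column-parsing rules and the regular expressions are this example's own assumptions about the `-L -n` format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed, trimmed excerpts of the two `iptables -L -n` listings quoted in this
# bug: the wide-open controller from the initial report and the fixed controller-0.
OPEN_NODE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.0.2.11           tcp dpt:8775
"""

FIXED_NODE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state NEW /* 001 accept all icmp ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 state NEW /* 003 accept ssh ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 873,3123,3306,4444,4567,4568,9200 state NEW /* 104 mysql galera-bundle ipv4 */
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 998 log all ipv4 */ LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 999 drop all ipv4 */
"""

ANY = "0.0.0.0/0"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
PORT_RE = re.compile(r"(?:multiport dports |dpts?:)([\d,:]+)")   # assumed -L -n port syntax
COMMENT_RE = re.compile(r"/\*.*?\*/")


@dataclass
class Chain:
    name: str
    policy: Optional[str]                 # None for user-defined chains
    rules: List[dict] = field(default_factory=list)


def parse_iptables(text: str) -> Dict[str, Chain]:
    """Parse an `iptables -L -n` filter-table listing into chains and their rules."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("target "):
            continue                                   # column header line
        parts = line.split(None, 5)                    # target prot opt src dst [match text]
        if len(parts) < 5:
            continue
        extra = parts[5] if len(parts) == 6 else ""
        ports = PORT_RE.search(extra)
        current.rules.append({
            "target": parts[0], "prot": parts[1], "src": parts[3], "dst": parts[4],
            "qualifiers": COMMENT_RE.sub("", extra).strip(),   # match text minus the comment
            "dports": ports.group(1).split(",") if ports else [],
        })
    return chains


def accepted_ports(chains: Dict[str, Chain], chain: str = "INPUT",
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Destination ports ACCEPTed in `chain`, following jumps into user-defined chains."""
    seen = set() if seen is None else seen
    ports: Set[str] = set()
    if chain in seen or chain not in chains:
        return ports
    seen.add(chain)
    for rule in chains[chain].rules:
        if rule["target"] == "ACCEPT":
            ports.update(rule["dports"])
        elif rule["target"] in chains:                 # jump, e.g. INPUT -> nova-api-INPUT
            ports |= accepted_ports(chains, rule["target"], seen)
    return ports


def audit_input_chain(text: str) -> dict:
    """Report whether INPUT ends in a default deny and which ports it opens."""
    chains = parse_iptables(text)
    inp = chains.get("INPUT")
    result = {"policy": None, "default_drop": False, "accepted_ports": [], "warnings": []}
    if inp is None:
        result["warnings"].append("no INPUT chain found")
        return result
    result["policy"] = inp.policy
    result["accepted_ports"] = sorted(accepted_ports(chains), key=lambda p: int(p.split(":")[0]))
    if inp.policy == "DROP":
        result["default_drop"] = True                  # the policy itself is the catch-all
        return result
    last = inp.rules[-1] if inp.rules else None
    catch_all = (last is not None and last["target"] in ("DROP", "REJECT")
                 and last["prot"] == "all" and last["src"] == ANY and last["dst"] == ANY
                 and last["qualifiers"] in ("", "state NEW"))
    result["default_drop"] = catch_all
    if not catch_all:
        result["warnings"].append("policy ACCEPT and no catch-all DROP: unlisted ports are reachable")
    elif last["qualifiers"] == "state NEW":
        # NEW is dropped and RELATED,ESTABLISHED accepted earlier, but packets conntrack
        # classifies as INVALID match neither and fall through to the ACCEPT policy.
        result["warnings"].append("catch-all DROP matches only state NEW; INVALID packets reach policy ACCEPT")
    return result


if __name__ == "__main__":
    for label, dump in (("open controller", OPEN_NODE), ("fixed controller-0", FIXED_NODE)):
        print(label, audit_input_chain(dump))
```

Run against a live node with `sudo iptables -L -n | python3 audit.py` after replacing the embedded excerpts with `sys.stdin.read()`; the open listing fails the check because INPUT only jumps to nova-api-INPUT and then falls to the ACCEPT policy, while the fixed listing passes but still earns the INVALID-state note, which is worth knowing when the policy stays ACCEPT.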
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462